Cloud and Web Application Security: Growing Confidence and Emerging Gaps

For modern organisations, digital transformation is increasingly the only game in town. CIOs are turning to multiple cloud providers in their droves to offer them agile new app-based models, driving enhanced business agility to meet ever-changing market demands. Yet security remains a constant challenge. Web applications themselves remain a major target for data theft and DDoS. A Verizon report from earlier this year claimed that a quarter of breaches it analysed stemmed from web app attacks.

So, what are organisations doing about it? The results of a new Barracuda Networks report reveal some interesting findings.

Cloud maturity grows

The poll of over 850 security professionals from around the world reveals a growing confidence in public cloud deployments. Over two-fifths (44%) now believe them to be as secure as on-premises environments, while 21% claim they are even more secure. What’s more, 60% say they are “fairly” or “very” confident that their organisation’s use of cloud technology is secure. 

This makes sense. After all, cloud providers are capable of running more modern, secure infrastructure than many organisations could in-house. That means customers benefit from the latest technology, accredited to the highest security standards, versus heterogeneous, legacy-heavy in-house environments. As long as they pick the right third-party security partners and understand the concept of shared responsibility in the cloud, cyber risk can be mitigated effectively. The cloud even offers more options for back-up and redundancy to further minimise risk.

Yet this isn’t the whole picture. Respondents to the study are still reluctant about hosting highly sensitive data in the cloud, with customer information (53%) and internal financial data (55%) topping the list. They complain of cybersecurity skills shortages (47%) and a lack of visibility (42%) as hampering cloud security efforts. And over half (56%) aren’t confident that their cloud set-up is compliant.  

Could some of these concerns be linked to web application threats?

Websites under attack

The truth is that web apps are a ubiquitous but often poorly understood part of the modern cloud-centric organisation. As a business-critical method of delivering experiences to customers and productivity enhancing capabilities to employees, web apps are a major target for cyber-criminals looking to steal sensitive data and interrupt key business processes. A Forrester study from 2018 found that the leading cause of successful breaches was external attacks — the most common of which focused on web applications (36%).

Fortunately, Barracuda Networks’ survey finds more than half (59%) of global firms have web app firewalls (WAFs) in place to mitigate these threats. The most popular option is sourcing a WAF from a third-party provider (32%), which makes sense, as long as they can protect their customers from the automated bot-driven traffic that dominates the threat landscape. Not all can.

Patching and configuring

However, of greater concern is the fact that many organisations don’t appear taking the threat of web app vulnerabilities seriously. Some 13% claim they haven’t patched their web app frameworks or servers at all over the past 12 months. Of those that did, it takes over a third (38%) of them between seven and 30 days to do so. For a fifth (21%) it takes over a month. 

This is the kind of approach that landed Equifax in a heap of trouble, when it failed to promptly patch an Apache Struts 2 flaw, leading to a mega-breach which has so far cost it over $1.4 billion. It’s an extreme example, but one that highlights the potential risks for businesses.   

Another potential area of risk with web app environments is human error. A massive breach at US bank Capital One earlier this year, affecting around 100 million customers and applicants, was blamed on a misconfiguration of an open source WAF. 

Some 39% of respondents told Barracuda Networks they don’t have a WAF because they don’t process any sensitive info via their apps. But attacks aren’t just focused on stealing data, they can also impede mission critical services. WAFs are certainly not a silver bullet. But as part of a layered approach to cybersecurity they’re an important tool in the ongoing fight against business risk.

Conclusion

Growing confidence in cloud is enabling digital transformations across organisations of every shape and size, yet that confidence comes with a cautionary tale.  Attackers are also zeroing in on vulnerabilities and weaknesses that may have been ignored in the past, and many organisations are unaware of how these multi-layer attacks can unfold from a single access point.  Web Application security and cloud posture security are key weapons which customers must deploy to continue their digital transformations in a safe cloud. 

To ensure you are secure in the cloud, here are some tips:

  • Ensure you have WAFs protecting all your apps – don’t assume that just because an app doesn’t appear to have outside visitor engagement doesn’t mean it can’t be used as an attack vector.  Once discovered, attackers will exploit any found vulnerabilities and it may simply to gain access to your network and more valuable resources.  
  • Don’t leave app security in the hands of your development team.  They aren’t security experts, nor do you pay them to be – you pay them to build great products.  
  • Deploy a Cloud Security Posture Management solution – not only will this eliminate many security risks and failures, along with providing your development team with necessary guardrails to “build secure,” it greatly simplifies remediation and speeds investigations when issues do arise.